By

Our take on the “soaksoak” (revslider) infection

Ethical reportingHere’s our review of the recent revslider plugin exploit – or as some call it, “soaksoak” (ouch).

On November 22, 2014 while removing malware from a number of sites, we noticed a large number of them had backdoor shells buried in the revslider folder. After the first 100+ sites, we noticed the pattern.

A little Google searching found this site: http://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/

Our first notification was to hosting providers we work with. We told them what to search for so they could alert their customers. The problem was that we did not report it to the right people. That was our mistake.

The first sites did not have any code injected into the swfobject.js or collect.js files, or the .html or .php files. The sites simply had numerous backdoor shells spread throughout the wp-includes, wp-admin and wp-content folders. It appears as if the hackers were looking for the deepest level folders they could find.

Some online searching showed very few infected sites. 1,100 sites. We did reach out to those website owners to let them know – not to try and drum up business but to be responsible. And discrete.

Many of the forums are reporting links to 122.155... but we’re also seeing links to other IP addresses as well. The injected malscript can be in just the swfobject.js files or all .js files, all .html and selected .php files.

Some of the sites have code injected into the collect.js file which apparently is the same code that the malicious links point to. This leads us to believe that the hackers could use these infected sites in their future malicious links and most recently we see the infectious code using the local sites URL pointing to the infected collect.js file.

You’ll find the malicious code in the template-loader.php file located in wp-includes folder. This should be replaced with a copy of the original file downloaded directly from the WordPress site.

We choose not to alert all the script kiddies
I know what you’re thinking, if we knew about this back in November, why didn’t we blog about it?

Our searches showed a growing number of sites being infected. As of December 17, 2014, we saw 307,000 sites still infected with this – and they have all been verified by us as well.

We did not want to be the one to let every script-kiddie know so they could go out searching for these sites and take advantage of the backdoor shell on all these sites. We’ve been contacting these site owners to let them know and we feel that is the responsible thing to do.

I’m not saying that this was reported wrong. I’m just saying we made the decision to not report it to the masses.

Maybe a missed opportunity. It’s not the first time and it won’t be the last.

By

The main difference – between those that do and those that don’t

We are the ones who do malware removal. We work in the trenches

We are the ones who do malware removal. We work in the trenches

The main difference – between those that do and those that don’t.

This is something I’ve been toiling over for some time now and it’s reached a full boil.

I continually read blog posts and articles about what “you” should do to protect your website from hackers.

I read it, then read the bio at the end and it all makes sense – these people are not living in the world of website security. They’re not even vacationing here.

One article I read actually focused on one main actionable item for website owners looking to increase their website security – add a section in your agreement with your web developer that makes it their responsibility for all website security issues.

Really?

How many of you web devs out there, think that’s justified?

And more to the point, does it really make your website more secure?

Today I read a blog post about what you can do about website security. It started off with keeping software updated. Which is totally sound advice. However, after that the author talked about SQL injection and cross-site scripting. Not what you should do to prevent it, but what it is.

Does awareness make you more secure by itself?

Knowing one way that SQL injection can be successful does nothing to the majority of website owner’s website security.

Nothing!

That’s like saying that since I know it’s illegal to drive 60 miles per hour in a 45 mile per hour zone, that I’m qualified to be a lawyer. Does that little bit of knowledge make me qualified to practice law? I think not.

To turn this around and not have this just be my rant, here are some things you can do to increase your website security. This is advice from someone “in the trenches” (someone that “does”).

  1. First, make certain that someone is responsible for updating your software and your plugins. Don’t even think this is the same as that blog post referenced above about making it your web developer’s responsibility.

    I want you to be certain that it’s someone’s responsibility to login to your WordPress, Joomla, etc… and check for any core updates or any plugins, components, modules, etc. updates at least once every two days.

    You check your Facebook, Twitter, (insert other social media sites here) numerous times a day and that does nothing for your website security. So why not login to your website and see if there are any updates?

  2. Next, activate your log files. If you’re on a hosting account with cPanel, most hosting providers will have the Access logs off by default. They know that storage costs can sky rocket and drives their prices up and they know that probably nobody ever, other than us, ever reads them so they have access logs deactivated. However, that is the first thing we do when we log into your cPanel account is to activate them.

    In your main cPanel window, look for the section titled, “Statistics”. You’ll see an icon for “Access Logs”. Click on that and put a check in the top two boxes. This activates the logs and “flushes” the previous months logs at the end of each month. This prevents your local storage from going through the roof and having your account deactivated for performance issues.

    As much as I hate to admit it, nobody can guarantee your website will never get infected. However, with a forensic audit trail, we can at least determine how it happened so we can take steps to insure that the possibility of your website getting infected again, is less.

  3. Consider your circle of trust. Shameless plug: https://www.youtube.com/watch?v=oCLRaonXf8M

    We created this video to help you understand the concept of trust. If you use a web developer, an SEO expert, a blogger, an administrator, or a security company, you must realize that you’re trusting people they trust – without even knowing them. You should start analyzing your circle of trust.

    Watch the above video. Start thinking about who you trust.

  4. Create a separate FTP account for each user.

    If you have a web developer, an SEO expert and yourself all accessing your files, create a separate FTP account for each of you. That way if your website is infected via FTP, you (or us) can see in the FTP logs which user account was compromised and used to upload infectious/infected files to your website.

    Without that, you’ll only see one account and now you have no idea who’s computer was used to steal the FTP password.

    Often times, we see websites infected due to stolen passwords. These passwords are stolen by a virus/trojan on someone’s local computer and when that person logs into the website, either through FTP, CMS login, cPanel, etc., the virus/trojan steals the login URL, the username and password, sends it to the hacker’s server where it logs in as a valid user and uploads or injects malicious code.

  5. If you are using cPanel, create a separate cPanel account for each website.

    Then, if one website gets infected, the chances are the other sites will not due to the separation of accounts.

    You can suspend the infected website (cPanel account), get the malware removed and the website secured, then reactivate it – all without disrupting the other websites.

  6. Monitor your files.

    No, this is not another shameless plug. But the fact is that hackers are constantly changing their tactics. The only sure way to detect when your website has been infected is to monitor the files constantly. Not just once a day. Not from the outside like a browser. But actually monitor all the files and folders frequently to see if any file or folder has been added or changed.

Notice the slant above?

It presumes that your website will get re-infected.

That’s right!

Nobody can guarantee that your website will not get infected – NOBODY!

Understand the hackers are making money off of their work. They will not stop. All you can do is to follow advice from someone “in the trenches” and take the necessary steps to make your site less prone to being infected, setup a strategy for early detection and remediation and get back to doing what it is you do.

Post a comment about your thoughts on this.